FIG. 1



SC and IP work together to identify parameters of authorization service.

SC and IP work together to identify customer and employee information needed to respond to an authorization request.

SC and IP work together to define a credential-record format for storing categories of information.

SC and IP work together to identify any additional information necessary to respond to authorization request.

FIG. 3



SC and IP work together to create a messaging specification.

SC and IP work together to define implementation rules.

IP presents the proposed authorization service to a policy management authority at Root.

Root-entity policy management authority reviews proposed service.

FIG. 3 (cont'd)





Root-entity policy management authority reviews proposed service.

308

No

Root-entity policy management authority notifies IP.

Root stores messaging specification and implementation rules in central repository and notifies IP.

IP stores approved messaging specification and implementation rules in directory and notifies SC.

FIG. 3 (cont'd)

SC supplies attribute information to populate credential records for SC's employees.

IP establishes a credential record for each employee of SC.

IP stores credential records in directory.

FIG. 3 (cont'd)



John Smith (JS) visits Web site of XYZ Co. (XYZ).

XYZ Web server communicates data to be digitally signed to JS's browser.

Data to be signed is forwarded to smartcard which signs the data to create digitally-signed document.

JS's browser receives digitally-signed document and transmits it to XYZ's Web server.

FIG. 4



XYZ receives digitally-signed document

XYZ decides to check whether JS is authorized to sign data (e.g., purchase order)

Go to step 416

Yes

XYZ determines whether it has appropriate message format for desired authorization request

No

XYZ generates request for appropriate authorization request format, signs the request and sends it to Bank B.

FIG. 4 (cont'd)



Bank B forwards the request to root entity

Root entity receives the request and retrieves from central repository access control implementation rules for the service identified in the request

Go to step 414

Yes

Root entity applies the access control implementation rules to determine whether or not XYZ is authorized to receive the requested authorization request message format

No

Root entity generates rejection message, signs it, and sends it to Bank B.

FIG. 4 (cont'd)



Bank B forwards rejection message to XYZ

Root retrieves from central repository requested authorization request message format, signs message including format, and forwards message to Bank B.

Bank B forwards message to XYZ

XYZ uses authorization request message format to generate authorization request

FIG. 4 (cont'd)

XYZ signs authorization request message and sends it to Bank B

Bank B forwards authorization request to Bank A

Go to step 428

Yes

Bank A receives request, checks repository for appropriate messaging specification data

419

No

Bank A generates a request for this data, signs it, and sends it to root entity

FIG. 4 (cont'd)



Go to step 426

Root receives the request and retrieves from central repository any applicable access-control implementation rules necessary to process the request

Yes

Root applies access control implementation rules to determine whether or not it will release requested message format

No

Root generates a rejection message, signs it, and forwards it to Bank A

Bank A generates a message indicating that it cannot process the authorization request, signs it, and forwards it to Bank B

FIG. 4 (cont'd)



Bank B forwards message to XYZ

Root retrieves from central repository requested authorization response message format, signs message including format, forwards it to Bank A

Bank A retrieves from directory credential record for individual that is the subject of the authorization request and any necessary definitions and mapping

Bank A generates authorization response message

FIG. 4 (cont'd)

Go to step 432

Not Satisfactory

Bank A signs the authorization response message and sends it to Bank B

429

Bank B transmits authorization response message to XYZ

Satisfactory

XYZ sends confirmation message to JS

431

XYZ sends message to JS disaffirming the transaction

FIG. 4 (cont'd)




FIG. 5 



SC visits RC's Web site

RC's Web server communicates data to be digitally-signed to SC's browser

Data to be signed is forwarded to SC's smart card which signs the data to create a digitally-signed document

SC's browser receives the digitally-signed document and transmits it to RC's Web server

FIG. 6



RC receives digitally-signed document

RC generates an authorization request message

RC creates an OCSP request for SC's certificate

RC concatenates the two requests and signs the resulting message

FIG. 6 (cont'd)



RC transmits request(s) to RP

RP identifies IP that issued certificate that is subject of OCSP request

RP forwards the request to IP

IP processes authorization request

FIG. 6 (cont'd)



IP creates OCSP response for validation request

IP concatenates authorization response and OCSP response and signs the resulting message

IP transmits response(s) to RP

RP forwards response(s) to RC

FIG. 6 (cont'd)

Go to step 619

Not Satisfactory

RC reviews the responses

Satisfactory

XYZ sends confirmation to SC

RC may send message to SC disaffirming the transaction

FIG. 6 (cont'd)

FIG. 7



